Bug #465

Description input validation too strict

Added by Chris Buechler over 9 years ago. Updated over 9 years ago.

Status: Resolved
Priority: Normal
Assignee: -
Category: Web Interface
Target version:
Start date: 04/01/2010
Due date:
% Done: 0%
Estimated time:
Affected Version: 2.0
Affected Architecture:

Description

The input validation on description fields in firewall rules at a minimum, possibly elsewhere, is too strict. The default LAN description in 1.2.x isn't allowed, "Default LAN -> any". I see it's changed to remove that default, but we cannot make rules on countless thousands of systems uneditable after they upgrade, that has to be changed back to allow "->".

Associated revisions

Revision 08825acc (diff)
Added by Seth Mos over 9 years ago

Allow the use of ">" in filter rule descriptions. Even whilst stripping the > before the comparison htmlentities
will still trigger on the <. It is safe to assume here that creating any sort of html tag is unlikely. Ticket #465

History

#1 Updated by Ermal Luçi over 9 years ago

  • Status changed from New to Feedback

We can encode all description fields with base64 so no problems should arise.

Agreed?

#2 Updated by Jim Pingle over 9 years ago

That may be too harsh. Having those descriptions be readable in the config.xml is a large benefit, IMHO.

#3 Updated by Erik Fonnesbeck over 9 years ago

It also might work to encode the characters using HTML and depend on the web browser to decode the text, instead of having to add code for decoding it before sending it out to the browser.

#4 Updated by Seth Mos over 9 years ago

  • Status changed from Feedback to Resolved

Stripping the < character before comparison works here. Confirmed that it still triggers on <.
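
The check discussed in this ticket, as an added example that is not pfSense's own code: it assumes the validation rejects a description whenever htmlentities() would change it, as the revision message describes, and all function names are hypothetical. It also shows output-time encoding in the spirit of comment #3, since ">" is now stored raw in the configuration.

```php
<?php
// Added illustration; function names are hypothetical, not taken from pfSense.

// Strict check: reject any description that htmlentities() would alter.
// This is what refuses the 1.2.x default "Default LAN -> any".
function descr_ok_strict(string $descr): bool
{
    return $descr === htmlentities($descr, ENT_COMPAT, 'UTF-8');
}

// Relaxed check as described for revision 08825acc: remove ">" from a
// temporary copy, then compare. "<", "&" and '"' still fail the comparison,
// so an opening tag still cannot pass validation.
function descr_ok_relaxed(string $descr): bool
{
    $probe = str_replace('>', '', $descr);
    return $probe === htmlentities($probe, ENT_COMPAT, 'UTF-8');
}

// The stored value keeps its raw ">", so it stays readable in config.xml.
// Encode it at the point where it is written into a page.
function descr_html(string $descr): string
{
    return htmlspecialchars($descr, ENT_QUOTES, 'UTF-8');
}

// Constructed sample descriptions.
$samples = [
    'Default LAN -> any',
    'Block <b>guests</b>',
    'Allow DNS & NTP',
    'Plain description',
];

foreach ($samples as $s) {
    printf(
        "%-22s strict=%-5s relaxed=%-5s html=%s\n",
        $s,
        var_export(descr_ok_strict($s), true),
        var_export(descr_ok_relaxed($s), true),
        descr_html($s)
    );
}
```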
